[Ach] Fwd: E-Mail Protocol Security Measurements

Aaron Zauner azet at azet.org
Tue Jul 28 15:17:21 CEST 2015


* Daniel Frank <ach-cert-at-87234 at danielfrank.net> [28/07/2015 15:05:45] wrote:
> Best long term solution might be similar to what XMPP is slowly migrating 
> to: SCRAM... allows hashed password storage *and* hashed password on 
> the line.
> Not sure if it has other shortcomings though.

SCRAM is certainly a good approach. But clients and servers need to
support that (I think most do). But it needs to be deployed and used
in practice as well.

PAKE is also quite interesting in this regard (I don't think these
are supported anywhere in the e-mail ecosystem, but I may be
misinformed):
https://en.wikipedia.org/wiki/Password-authenticated_key_agreement

Aaron
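The property Daniel describes (hashed storage on the server and no password on the wire) is easiest to see in a full SCRAM round trip. The following is an added example, not code from the thread or from any mail server: a self-contained SCRAM-SHA-256 exchange per RFC 5802 / RFC 7677 with both the client and server computations, using a constructed salt, user name, password and fixed nonces so it runs offline (real deployments use fresh random values for all three).

```python
"""SCRAM-SHA-256 (RFC 5802 / RFC 7677) round trip: enrollment, the four messages, both checks."""
import base64
import hashlib
import hmac

# Constructed sample inputs for this example only.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "pencil"
SAMPLE_SALT = b"constructed-16B-salt"
SAMPLE_ITERATIONS = 4096


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-SHA-256 as the PRF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str, salt: bytes, iterations: int) -> dict:
    """What the server stores at enrollment: salt, iteration count, StoredKey, ServerKey.
    Neither the password nor SaltedPassword is kept."""
    salted = _salted_password(password, salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),
        "server_key": _hmac(salted, b"Server Key"),
    }


def scram_exchange(username: str, password: str, creds: dict,
                   client_nonce: str, server_nonce: str) -> tuple:
    """Run the exchange. Returns (server_accepted_client, client_accepted_server, transcript)."""
    # 1. client-first-message; GS2 header "n,," = no channel binding, no authzid.
    client_first_bare = f"n={username},r={client_nonce}"
    client_first = "n,," + client_first_bare

    # 2. server-first-message: combined nonce, salt and iteration count from the credential store.
    nonce = client_nonce + server_nonce
    server_first = f"r={nonce},s={_b64(creds['salt'])},i={creds['iterations']}"

    # 3. client-final-message: the client re-derives ClientKey from the password and sends
    #    ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage). The password itself never leaves.
    salted = _salted_password(password, creds["salt"], creds["iterations"])
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    client_final_without_proof = f"c={_b64(b'n,,')},r={nonce}"
    auth_message = ",".join([client_first_bare, server_first, client_final_without_proof]).encode("utf-8")
    client_proof = _xor(client_key, _hmac(stored_key, auth_message))
    client_final = f"{client_final_without_proof},p={_b64(client_proof)}"

    # Server check: unmask ClientKey from the proof and compare H(ClientKey) with StoredKey.
    recovered_client_key = _xor(client_proof, _hmac(creds["stored_key"], auth_message))
    client_ok = hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), creds["stored_key"])

    # 4. server-final-message: ServerSignature proves the server holds ServerKey (mutual auth),
    #    or an error if the proof failed.
    if client_ok:
        server_signature = _hmac(creds["server_key"], auth_message)
        server_final = f"v={_b64(server_signature)}"
        expected = _hmac(_hmac(salted, b"Server Key"), auth_message)
        server_ok = hmac.compare_digest(server_signature, expected)
    else:
        server_final = "e=invalid-proof"
        server_ok = False

    return client_ok, server_ok, [client_first, server_first, client_final, server_final]


if __name__ == "__main__":
    creds = enroll(SAMPLE_PASSWORD, SAMPLE_SALT, SAMPLE_ITERATIONS)
    ok_client, ok_server, transcript = scram_exchange(
        SAMPLE_USER, SAMPLE_PASSWORD, creds, "cnonce-constructed", "snonce-constructed")
    for line in transcript:
        print(line)
    print("server accepted client:", ok_client, "| client accepted server:", ok_server)
```

The transcript carries only nonces, the salt, the iteration count and two MAC-derived values, and the credential store holds only StoredKey and ServerKey, which is what makes SCRAM strictly better than PLAIN/LOGIN over the same TLS channel. The caveat RFC 5802 itself states (section 9) still applies: StoredKey is a PBKDF2 derivative, so a stolen database remains subject to offline dictionary attack, and an attacker who holds the database and also observes one successful exchange can recover ClientKey from the proof and impersonate that user to every server using the same salt and iteration count. Channel binding ("p=" instead of "n,,") is the defined answer to the latter.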